SSH tunneling

SSH tunneling is a method of transporting data over an encrypted SSH connection. It can be used to access endpoints that are protected by a firewall or to add encryption to an otherwise unencrypted channel. Tunneling is part of the Secure Shell (SSH) Connection Protocol (RFC 4254) and is also referred to as local or remote port forwarding.

A connection managed within the Things service supports establishing an SSH tunnel (local port forwarding) to connect to the target endpoint. You can enable and configure it in the connection management section of the Things UI. Once configured, the Things service takes care of creating the tunnel and connecting to it in order to establish a connection to the actual endpoint.

The state of the tunnel is reported in the connection logging section in the UI. This can be very helpful to diagnose connectivity problems.

Tunnel configuration

The following information is required to configure a tunnel:

SSH host

The host and port of the SSH server provided in the format ssh://<host>:<port>.


Credentials

The credentials used to authenticate at the SSH server. Things supports password authentication and public key authentication.

Host validation

Note: It is highly recommended to enable validation of the SSH host in production systems. Nevertheless, it might be helpful to disable it temporarily for testing purposes.

A list of accepted public key fingerprints can be configured in the configuration of the SSH tunnel.


This screenshot shows an example of what such a configuration might look like.

[Screenshot: SSH tunnel]
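To know which fingerprint to accept, it has to be derived from the SSH server's public host key. The following is an added example, not part of the Things or Ditto code: it computes the SHA256 and MD5 fingerprint forms that ssh-keygen -l prints and checks a key against an accepted list. The fingerprint format Things expects is not stated on this page, so both forms are shown; the sample key is constructed and all function names are hypothetical.

```python
import base64
import hashlib
import struct


def make_sample_key_line() -> str:
    """Constructed Ed25519 public key line (dummy key bytes, not a real host)."""
    key_type, raw_key = b"ssh-ed25519", bytes(range(32))
    blob = (struct.pack(">I", len(key_type)) + key_type
            + struct.pack(">I", len(raw_key)) + raw_key)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"


SAMPLE_KEY_LINE = make_sample_key_line()


def parse_public_key(line: str) -> bytes:
    """Return the raw key blob from an OpenSSH '<type> <base64> [comment]' line."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    declared_type, b64 = fields[0], fields[1]
    blob = base64.b64decode(b64, validate=True)  # malformed input raises ValueError
    if len(blob) < 4:
        raise ValueError("key blob too short")
    # The blob starts with a length-prefixed key type; it must match the
    # type declared in the first field, otherwise the line was tampered with.
    (type_len,) = struct.unpack(">I", blob[:4])
    embedded_type = blob[4:4 + type_len].decode("ascii", "replace")
    if embedded_type != declared_type:
        raise ValueError("declared key type does not match key blob")
    return blob


def fingerprints(line: str) -> dict:
    """Fingerprints of the key in the two notations ssh-keygen -l prints."""
    blob = parse_public_key(line)
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    md5_hex = hashlib.md5(blob, usedforsecurity=False).hexdigest()
    md5 = ":".join(md5_hex[i:i + 2] for i in range(0, 32, 2))
    return {"sha256": "SHA256:" + sha, "md5": "MD5:" + md5}


def is_accepted(line: str, accepted: list) -> bool:
    """True if any fingerprint form of the key is in the accepted list."""
    return any(fp in accepted for fp in fingerprints(line).values())


if __name__ == "__main__":
    print(fingerprints(SAMPLE_KEY_LINE))
```

Obtain the host key over a channel you already trust (for example from the server's administrator), not from the same unauthenticated connection the fingerprint is meant to protect.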

Further reading

In case you need to manage the connection settings via HTTP API, see PUT /solutions/{solutionId}/namespaces/{namespaceId}

Tip: The blog post "Support SSH tunneling for managed connections" also provides a brief introduction. All details are provided in the Eclipse Ditto documentation.
